BACKGROUND OF THE INVENTION

Field of the Invention

The present invention relates generally to cryptography and, 
more particularly, to exchanging cryptographic keys between two 
cryptographic units for a single cryptographic session, and to 
digital signature.

Description of the Prior Art

Two mutually-exclusive classes of cryptographic methods and 
protocols are well recognized by those familiar with cryptography, 
symmetric cryptography and public-key cryptography. In symmetric 
cryptographic protocols, the same key and cryptographic method are 
used both for encrypting a plaintext message into cyphertext, and 
for decrypting a cyphertext to recover the plaintext. It is 
readily apparent that the security of a symmetric cryptographic 
protocol can never exceed the security of the single key used both 
for encryption and decryption. 

In conventional public-key cryptographic protocols there are 
two keys, a public key to which anyone can gain access and which is 
used only for encrypting a plaintext message, and a private key 
which only the recipient possesses and which is used only for 
decrypting a cyphertext. For such a public-key cryptographic 
protocol to be secure it must be unfeasible to determine the
private key by analyzing the public key. While public-key
cryptographic systems appear alluring, thus far in practice it has
been observed that public-key cryptographic methods are signifi-
cantly slower than symmetric cryptographic methods. In general, it
has been found that public-key cryptographic methods are 1000 times
slower than symmetric cryptographic methods. Furthermore, present
public key cryptographic methods rely upon difficult but solvable
mathematical problems, e.g. factoring large integers or discrete
logarithms. Such techniques, while providing some security, can be
broken by a cryptanalytic attack that is less exhausting than a
brute force attack.

Managing the distribution of cryptographic keys is the most
difficult security problem in using cryptography both for symmetric
protocols and for public-key protocols. Developing secure
cryptographic methods and protocols is not easy, but making sure
the keys used with such methods and protocols remain secret is an
even more difficult task. "Cryptanalysts often attack both
symmetric and public-key cryptosystems through their key manage-
ment." Schneier, Applied Cryptography, Second Edition © 1996 Bruce
Schneier ("Schneier") p. 169.

For symmetric cryptographic protocols, there are three well 
recognized key management problems. First, a key may be compro- 
mised which permits an eavesdropper who obtains the key either to 
read all the cyphertext, or even to broadcast bogus cyphertext.
The only way to alleviate this problem is to change keys
frequently. A second problem for symmetric cryptography key
management is that it requires a large number of keys if each pair
of individuals in a group is to communicate using a different key.
Forty-five unique keys are required if a group of 10 individuals
are to communicate. Fifty-five unique keys are required for
communication among a group of 11 individuals. The final problem
for key management in symmetric cryptographic protocols is that,
since keys are more valuable than the encrypted messages, the keys
must be exchanged by a secure communication. One approach for
securely distributing keys of a symmetric cryptographic protocol is
to distribute them using a public-key cryptographic protocol.

Whether used with a symmetric cryptographic protocol or with
a public-key cryptographic protocol, an encryption key should not
be used indefinitely. First, the longer a key is used the more
likely it will be compromised by theft, luck, extortion, bribery or
cryptanalysis. Extended use of a key aids an eavesdropper because
that provides more cyphertext encoded with the same key to which
cryptanalytic methods may be applied. Second, in general the
longer a key is used the greater the loss if the key is compro-
mised. Accordingly, it is not uncommon to encrypt each individual
communication using a separate, session key that is used throughout
only one particular communication session.

Schneier at pp. 41-68 provides an overview of protocols for
digital signatures, key exchange, and authentication. Schneier at
pp. 513-522 describes in greater detail various key exchange proto- 
cols that may be used to establish a session key including: 

1. Shamir's Three-Pass protocol which does not use any 
secret or public keys; 

2. a COMSET protocol which uses a public key technique that 
is equivalent to factoring a large integer; and 

3. an Encrypted Key Exchange ("EKE") protocol that may be 
implemented with various different cryptographic methods 
such as: 

a. a Rivest, Shamir and Adleman ("RSA") public-key
cryptographic method that is described in United
States patent no. 4,405,829;

b. an ElGamal public-key cryptographic method; and

c. a Diffie-Hellman public-key cryptographic method
that is described in United States patent no.
4,200,770.

United States patent nos. 4,405,829 and 4,200,770 together with 
Schneier are hereby incorporated by reference. 

While all of the preceding protocols provide some security for
establishing a symmetric cryptographic key, the various protocols
require exchanging several, time consuming communications between
the parties to establish the key. Moreover, those protocols which
require using a public-key cryptographic method also suffer from
the slowness of such methods. Furthermore, the preceding key
exchange protocols are no more secure than the cryptographic method
which they employ for key exchange, all of which can be broken by
cryptanalysis that is less exhausting than a brute force attack.

Protocols for key exchange have been developed that are secure
against all but a brute force cryptanalytic attack. United States
Patent No. 5,583,939 ("the '939 patent") describes an exchange
protocol which establishes a session key useful for symmetric
cryptography:

1. employing known and publicly identified mathematical
functions; and

2. applied to exclusively private data, e.g. numbers.

In establishing this one-time key, an eavesdropper can learn both
some of the numerical values selected by the parties in establish-
ing the key, and also learn some of the numerical values computed
using the known and publicly identified mathematical functions.
The method disclosed in the '939 patent requires that the four
known and publicly identified mathematical functions possess no
inverse. That is, the four known and publicly identified functions
must possess the property that knowing one of the quantities used
in calculating a quantity and the calculated quantity, it is
mathematically impossible to compute the other quantity used in
performing the calculation. While the method disclosed in the '939
patent is swifter and simpler than previous methods, it requires
initially transmitting at least two quantities between the sender
and the receiver, followed by a single quantity between the
receiver and the sender.

Another United States Patent No. 5,987,130 ("the '130 patent")
also describes an exchange protocol which establishes a one-time key
for use in symmetric cryptography:

1. employing known and publicly identified mathematical
functions; and

2. applied to exclusively private data, i.e. numbers.

One of the ways in which the method for establishing a one-time key
described in the '130 patent differs from that described in the '939
patent is that an eavesdropper cannot learn any numerical value
selected by the parties in establishing the key. That is, the
eavesdropper can learn only some of the numerical values computed
using the known and publicly identified mathematical functions.

For the key exchange protocol described in the '130 patent a
first of two cryptographic units "T" and "R" wishing to establish
a cryptographic key "K" initially selects a first quantity "A".
That same unit then uses a first mathematical function "Φ_1" and the
selected quantity "A" to compute a second quantity "B" = Φ_1(A).
The computed quantity B and the function Φ_1 must possess the
property that knowing the computed quantity B, and the function Φ_1,
it is mathematically impossible to compute the selected quantity A.
That same unit then uses a second mathematical function "Φ_2" and
the selected quantity "A" to compute a third quantity "C" = Φ_2(A).
The first unit T or R which selected the quantity A then transmits
the computed quantity B to the other, second unit R or T, while
retaining at the first unit T or R the computed quantity C.

Upon receiving the quantity B transmitted by the first unit T
or R, the second unit R or T first selects a fourth quantity "D."
Then using a third mathematical function Φ_3 together with the
selected quantity D, the second unit T or R computes a fifth
quantity "E" = Φ_3(D). The computed quantity E and the function Φ_3
must possess the property that knowing the computed quantity E, and
the function Φ_3, it is mathematically impossible to compute the
selected quantity D. That same unit then using a fourth mathemati-
cal function Φ_4 together with the selected quantity D computes a
sixth quantity "F" = Φ_4(D). The second unit R or T which selected
the quantity D then transmits the computed quantity E to the other,
first unit T or R, while retaining at the second unit R or T the
computed quantity F.

Then the second unit R or T uses a fifth mathematical function
"Ψ_2" together with the calculated quantity F and the received
quantity B to compute the key "K" = Ψ_2(F, B) = Ψ_2(Φ_4{D}, Φ_1{A}). The
first unit T or R upon receiving the quantity E transmitted by the
unit R or T then uses a sixth mathematical function Ψ_1 together
with the calculated quantity C and the received quantity E to
compute the key "K" = Ψ_1(C, E) = Ψ_1(Φ_2{A}, Φ_3{D}) = Ψ_2(Φ_4{D}, Φ_1{A}).

While the key exchange protocols disclosed both in the '939
and '130 patents permit establishing a session key for symmetric
cryptography that an eavesdropper cannot crack except by using a
brute force attack, it has not been possible to extend the
disclosed techniques for use in digital signatures. The inability
to extend the techniques disclosed in the '939 and '130 patents to
digital signature appears to arise because the techniques disclosed
there avoid using any pre-published, publicly available information
in establishing the symmetric cryptographic key. Stated another
way, while establishing the cryptographic key each party sends
information to the other party on only one occasion, and therefore
neither party publishes any information, other than the mathemati-
cal functions and the protocol for their use, before establishing
the cryptographic key.


SUMMARY OF THE INVENTION 

An object of the present invention is to provide a crypto- 
graphic key exchange protocol which employs pre-established, 
publicly available information that is provably secure. 

Another object of the present invention is to provide a
cryptographic key exchange protocol that is faster than convention-
al protocols.

Another object of the present invention is to provide an
encryption key exchange protocol that is secure against all but a
brute force cryptanalytic attack.

Another object of the present invention is to provide an
improved, verifiable digital signature.

Another object of the present invention is to provide a
digital signature that is secure against all but a brute force
cryptanalytic attack.

Briefly, the present invention includes a protocol for
cryptographic communication via a communication channel "I" in
which a sending cryptographic unit "S" transmits onto the communi-
cation channel I an encrypted cyphertext message "M." The sending
cryptographic unit "S" obtains the encrypted cyphertext message "M"
by supplying both a plaintext message "P" and a cryptographic key
"K" to a first cryptographic device. A receiving cryptographic
unit "R" receives the cyphertext message M from the communication
channel I, and supplies the cyphertext message M together with the
key K to a second cryptographic device. The second cryptographic
device decrypts the plaintext message P from cyphertext message M.

In one aspect, the present invention is a method by which the 
units S and R mutually establish a key K for a cryptographic 
session by first exchanging quantities before the sending unit S
transmits the cyphertext message M. The method includes the 
receiving unit R transmitting for storage in a publicly accessible 
repository a plurality of public quantities. The sending unit S: 

1. retrieves the plurality of public quantities from the
publicly accessible repository;

2. using at least some of the plurality of public quanti- 
ties, computes and transmits to the receiving unit R a 
plurality of sender's quantities; and 

3. using at least one of the plurality of public quantities, 
computes the session key K. 

The receiving unit R, using at least one of the plurality of 
sender's quantities received from the sending unit S, computes the 
session key K. 

In another aspect, the present invention is a protocol for 
communication in which a sending unit S transmits onto the 
communication channel I a message "M" together with a digital 
signature. However, before transmitting the message M and the 
digital signature, the sending unit S transmits for storage in the 
publicly accessible repository a plurality of public quantities. 
In the method of the present invention, a receiving unit R, that 
receives the message M and the digital signature, verifies the 
authenticity of digital signature as follows. The receiving unit 
R: 

1. retrieves the plurality of public quantities from the 
publicly accessible repository; 

2. using the digital signature and the plurality of public
quantities, obtains at least two (2) results by evaluat-
ing expressions of at least two (2) different relation-
ships; and

3. compares both pairs of results obtained by evaluating the
expressions of the at least two (2) different relation-
ships.

Finding that the results obtained by evaluating the expressions for 
at least two (2) different relationships are equal verifies the 
digital signature. 

These and other features, objects and advantages will be 
understood or apparent to those of ordinary skill in the art from 
the following detailed description of the preferred embodiment as 
illustrated in the drawing figure. 

BRIEF DESCRIPTION OF THE DRAWING 

FIG. 1 is a block diagram depicting a cryptographic system
which may be employed for secure cryptographic key exchange and
digital signature via an insecure communication channel.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 

FIG. 1 illustrates a cryptographic system which may be 
employed for cryptographic key exchange that is referred to by the 
general reference character 10. The cryptographic system 10 
includes a sender's cryptographic unit 12a, enclosed within a 
dashed line, and a receiver's cryptographic unit 12b, also enclosed 
within a dashed line. One particular unit has been assigned as the
sender's cryptographic unit 12a and another unit has been assigned
as the receiver's cryptographic unit 12b only for pedagogical
reasons. In principle, either unit could be the sender or the
receiver. Each of the cryptographic units 12a and 12b respectively
includes a cryptographic device 14. Each cryptographic device 14
includes a key input port 16, a plaintext port 18, and a cyphertext
port 22.

The illustration of FIG. 1 depicts the cyphertext port 22 of
the cryptographic device 14 included in the sender's cryptographic
unit 12a as being coupled to a first input port 32 of a first
transceiver 34a. Consequently, the cyphertext port 22 may supply
a cyphertext message "M" to the first transceiver 34a. The first
transceiver 34a also includes a first output port 36 from which the
first transceiver 34a transmits the cyphertext message M via an
insecure communication channel 38 to a first input port 32 of a
second transceiver 34b. The insecure communication channel 38 may
include a telephone link, a radio link, a microwave link, a coaxial
cable link, a fiber optic link, or any other communication
technology that permits transmitting data from a first location to
a second location. Thus, for example, while an electronic or
optical communication technology is presently preferred for the
insecure communication channel 38, the insecure communication
channel 38 might also include a messenger service, or a postal
service. For a telephonic insecure communication channel 38, the
transceivers 34a and 34b might each respectively be conventional
modems. Upon receipt of the cyphertext message M at the first
input port 32 of the second transceiver 34b, the second transceiver
34b transmits the cyphertext message M from a first output port 36
to the cyphertext port 22 of the cryptographic device 14 included
in the receiver's cryptographic unit 12b.

Arranged as described above and as illustrated in FIG. 1, the
cryptographic units 12a and 12b provide a cryptographic system 10 
in which a plaintext message P may be: 

1. presented to the plaintext port 18 of the cryptographic 
device 14 included in the sender's cryptographic unit 
12a; 

2. encrypted by the cryptographic device 14 into the
cyphertext message M; 

3. transmitted from the cyphertext port 22 of the crypto- 
graphic device 14 via: 

a. the first transceiver 34a; 

b. the insecure communication channel 38; and 

c. the second transceiver 34b 

to the cyphertext port 22 of the cryptographic device 14 
of the receiver's cryptographic unit 12b; 

4. decrypted by the cryptographic device 14 back into the 
plaintext message P; and 

5. transmitted from the plaintext port 18 of the crypto-
graphic device 14 included in the receiver's cryptograph-
ic unit 12b.

Alternatively, though not illustrated in FIG. 1, the crypto-
graphic system 10 could be arranged so the plaintext message P is
transmitted as a cyphertext message M from the cryptographic unit
12b to the cryptographic unit 12a. To effect such a reverse
transmission of the plaintext message P, the cyphertext port 22 of
the cryptographic device 14 included in the cryptographic unit 12b
would be coupled to a second input 42 of the second transceiver 34b
rather than to its first output port 36. A second output 44 of the
second transceiver 34b would then transmit the cyphertext message
M via the insecure communication channel 38 to a second input 42 of
the first transceiver 34a. A second output 44 of the first
transceiver 34a, rather than its first input port 32, would then be
coupled to the cyphertext port 22 of the cryptographic device 14
included in the cryptographic unit 12a. Accordingly, in principle
the cryptographic system 10 illustrated in FIG. 1 is capable of
being configured for cryptographic transmission of the plaintext
message P either from the cryptographic unit 12a to the crypto-
graphic unit 12b as depicted in FIG. 1, or from the cryptographic
unit 12b to the cryptographic unit 12a.

The precise cyphertext message M transmitted between the
cryptographic units 12a and 12b depends not only upon the plaintext
message P, but also upon a particular cryptographic method employed
by the cryptographic device 14 for encryption and/or decryption,
and upon a cryptographic key "K" respectively supplied to the key
input port 16 of each cryptographic device 14. To supply a crypto-
graphic key K to each cryptographic device 14, both cryptographic
units 12a and 12b in accordance with the present invention
respectively include a key generator 52 having a key output port 54
from which the key generator 52 transmits the cryptographic key K
to the cryptographic device 14.

The cryptographic system 10 depicted in FIG. 1 employs a
symmetric cryptographic method for encrypting the plaintext message
P, and for decrypting the cyphertext message M. Accordingly, in
the illustration of FIG. 1, the cryptographic key K supplied by
the key generator 52 to the cryptographic device 14 of the sender's
cryptographic unit 12a is identical to the cryptographic key K
supplied by the key generator 52 to the cryptographic device 14 of
the receiver's cryptographic unit 12b. Described below is the
protocol by which the cryptographic units 12a and 12b may mutually
establish a cryptographic key K in accordance with the present
invention by exchanging messages between the cryptographic units
12a and 12b via the first transceiver 34a, the insecure communica-
tion channel 38 and the second transceiver 34b.

Secure Key Exchange

To permit establishing a secure session key to be used during 
communication between the cryptographic units 12a and 12b, a 
quantity source 62 included in the receiver's cryptographic unit 
12b first generates the following private quantities. 

1. a first private, three-element vector a = (a_1, a_2, a_3)

2. a private, large integer l

3. a second private, three-element vector e = (e_1, e_2, e_3)

The quantity source 62 then transmits the vector a, the large
integer l, and the vector e from a quantity output port 64 of the
quantity source 62 to a quantity input port 65 of the key generator
52 included in the receiver's cryptographic unit 12b. The quantity
source 62 then continues to generate and transmit to the key
generator 52 the following single quantity.

4. a first three-element vector α = (α_1, α_2, α_3)

In addition to transmitting α to the key generator 52, the
receiver's cryptographic unit 12b also transmits α from a publica-
tion port 66 of the quantity source 62 for storage in a public
repository 67 from which anyone may retrieve it. Numbers in all
the quantities listed above are all integers chosen from a finite
number set that are preferably obtained using a random number
generator. Furthermore, the vector items generated by the quantity
source 62, i.e. a, e and α, must be linearly independent.

After the key generator 52 receives the quantities a, l, e and
α, the key generator 52 computes and also transmits to the public
repository 67 from a publication port 68 two (2) more quantities
listed below.

5. a third three-element vector P_1 = l a × (e + α)

6. a fourth three-element vector P_2 = l e

When the sender's cryptographic unit 12a wants to establish a
secure session cryptographic key K for communication with crypto-
graphic unit 12b, the quantity source 62 of the cryptographic unit
12a generates a private, three-element vector r = (r_1, r_2, r_3) of
random integers chosen from a finite number set. The quantity
source 62 transmits the vector r from the quantity output port 64
to the quantity input port 65 of the key generator 52. After the
key generator 52 receives the vector r, the key generator 52 first
retrieves from the public repository 67 through a public-key
retrieval-port 69 the three (3) quantities stored there by the
receiver's cryptographic unit 12b, i.e. α, P_1 and P_2. Having
retrieved those three (3) quantities, the sender's cryptographic
unit 12a then computes two (2) vector quantities listed below.

V_1 = α × r

V_2 = l e × r

After computing the two vector quantities V_1 and V_2, the key
generator 52 of the sender's cryptographic unit 12a then transmits
them to the receiver's cryptographic unit 12b via an output port
72, the first transceiver 34a, insecure communication channel 38,
second transceiver 34b and an input port 74 of the key generator
52.

After the receiver's cryptographic unit 12b receives the
vector quantities V_1 and V_2, the cryptographic units 12a and 12b
then possess all the data needed to independently establish the
session cryptographic key K. The receiver's cryptographic unit 12b
computes the session cryptographic key K as follows.

K = l a · (α × r) + P_2 × r · a

The sender's cryptographic unit 12a computes the session crypto-
graphic key K as follows.

K = l a × (e + α) · r
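
The exchange described above, as an added example that is not part of the original application: it reads the formulas as P_1 = l a × (e + α), P_2 = l e, V_1 = α × r and V_2 = P_2 × r, and shows that both units reach the same K through the scalar triple product identity (u × v) · w = u · (v × w). The function names, the use of unbounded Python integers and the 64-bit component size are assumptions, since the text says only that the integers come from a finite number set.

```python
"""Added example: both sides of the vector key exchange (names are hypothetical)."""
import secrets


def cross(u, v):
    """Cross product u x v of two three-element integer vectors."""
    return (u[1] * v[2] - u[2] * v[1],
            u[2] * v[0] - u[0] * v[2],
            u[0] * v[1] - u[1] * v[0])


def dot(u, v):
    """Dot product u . v."""
    return sum(x * y for x, y in zip(u, v))


def add(u, v):
    return tuple(x + y for x, y in zip(u, v))


def scale(k, u):
    return tuple(k * x for x in u)


def linearly_independent(a, e, alpha):
    """Three vectors are independent iff det[a; e; alpha] = a . (e x alpha) != 0."""
    return dot(a, cross(e, alpha)) != 0


def random_vector(bits=64):
    """Constructed sample input: three non-zero random integers (size is an assumption)."""
    return tuple(secrets.randbits(bits) + 1 for _ in range(3))


def receiver_publish(a, l, e, alpha):
    """Receiver (unit 12b): derive the public quantities 4, 5 and 6."""
    if not linearly_independent(a, e, alpha):
        raise ValueError("a, e and alpha must be linearly independent")
    return {
        "alpha": alpha,                               # quantity 4
        "P1": scale(l, cross(a, add(e, alpha))),      # quantity 5: l a x (e + alpha)
        "P2": scale(l, e),                            # quantity 6: l e
    }


def sender_exchange(public, r):
    """Sender (unit 12a): compute V_1, V_2 to transmit and its own copy of K."""
    v1 = cross(public["alpha"], r)                    # V_1 = alpha x r
    v2 = cross(public["P2"], r)                       # V_2 = l e x r
    k = dot(public["P1"], r)                          # K = l a x (e + alpha) . r
    return v1, v2, k


def receiver_key(a, l, v1, v2):
    """Receiver: K = l a . V_1 + V_2 . a, using only its private a, l and the received vectors."""
    return l * dot(a, v1) + dot(v2, a)


def run_exchange(bits=64):
    """One full exchange with fresh random quantities; returns (sender K, receiver K)."""
    while True:
        a, e, alpha = random_vector(bits), random_vector(bits), random_vector(bits)
        if linearly_independent(a, e, alpha):
            break
    l = secrets.randbits(bits) + 1
    public = receiver_publish(a, l, e, alpha)
    v1, v2, k_sender = sender_exchange(public, random_vector(bits))
    return k_sender, receiver_key(a, l, v1, v2)


if __name__ == "__main__":
    # Small constructed values so the arithmetic can be followed by hand.
    a, l, e, alpha, r = (1, 2, 3), 5, (4, 5, 6), (7, 8, 10), (2, 1, 3)
    public = receiver_publish(a, l, e, alpha)
    v1, v2, k_sender = sender_exchange(public, r)
    print("public:", public)
    print("V_1, V_2:", v1, v2)
    print("sender K:", k_sender, "receiver K:", receiver_key(a, l, v1, v2))
    print("random 64-bit run agrees:", len(set(run_exchange())) == 1)
```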

Because the cryptographic system 10 includes the insecure
communication channel 38, an eavesdropper 82, which is not included
in the cryptographic system 10 and which is enclosed within a
dashed line in FIG. 1, may receive all of the communications
between the cryptographic units 12a and 12b. Furthermore, the
eavesdropper 82 has access to the public quantities stored in the
public repository 67. The eavesdropper 82 includes a cryptographic
device 14 which is functionally identical to, and may in principle
be the same as, the cryptographic device 14 included both in the
cryptographic units 12a and 12b. Therefore, if the eavesdropper 82
were able to determine the cryptographic key K using a key cracker
84 (e.g. by applying an inverse function to the quantities
communicated between cryptographic units 12a and 12b during key
exchange and/or to the public quantities stored in the public
repository 67) and supply the cryptographic key K to a key input
port 16 of the cryptographic device 14, the eavesdropper 82 could
decrypt the cyphertext message M to read the plaintext message P.
Furthermore, if the eavesdropper 82 possesses the cryptographic key
K, the eavesdropper 82 could then also transmit bogus cyphertext
message M either to the sender's cryptographic unit 12a, to the
receiver's cryptographic unit 12b, or to both.

In 1826 Niels Henrik Abel proved that a general equation of
fifth or higher order cannot be expressed in terms of radicals. In
other words, such an equation cannot be solved using purely
algebraic means. For the real number system, such an equation can
be solved using complex numbers, or a numerical approximation.
However, such techniques are inapplicable to the discrete, finite
number system used for cryptography.

(C.N., I have created the hypothetical text set forth in 
the following paragraph from the text in your August 12, 
2000, facsimile. Please check its accuracy.) 

Using all three (3) public quantities, i.e. 4, 5 and 6 above,
stored in the public repository 67 by the cryptographic unit 12b
and the two vector quantities V_1 and V_2 which the cryptographic unit
12a transmits to the cryptographic unit 12b, solving for a, one
of the private quantities retained by cryptographic unit 12b, requires
solving an equation that includes the vector expression a × (a ×
a). Expressing the equation that includes the expression a × (a ×
a) as a set of simultaneous equations and eliminating any pair of
the quantities a_1, a_2, and a_3 yields an 8th order polynomial in the
remaining quantity. Since solving analytically for any of the
quantities a_1, a_2, and a_3 requires solving an 8th order polynomial,
there exists no analytic method for computing the private, three-
element vector quantity a from the public and transmitted quanti-
ties.

Verifiable Digital Signature

The preceding key exchange protocol may be augmented with
additional quantities that allow the cryptographic unit 12b to
append verifiable digital signatures to transmitted messages.
First, in addition to selecting private, three-element vector a,
the quantity source 62 of the cryptographic unit 12b also selects
a large, private integer m that it provides to the key generator
52. The quantity source 62 then continues to generate and transmit
to the key generator 52 a second large integer n. In addition to
transmitting n to the key generator 52, the receiver's cryptograph-
ic unit 12b also transmits n from the publication port 66 of the
quantity source 62 for storage in a public repository 67 from which
anyone may retrieve it. Using the integer m, the key generator 52
then computes and transmits to the public repository 67 three (3)
additional public vectors.

7. a fifth three-element vector S_1 = a × (a × a)

8. a sixth three-element vector S_2 = m a × (a × (a × a))

9. a seventh three-element vector S_3 = m (a · a) (a × (a × a))

Having stored the vectors S_1, S_2 and S_3 in the public reposito-
ry 67, the cryptographic unit 12b may then append a digital
signature to a message, either the plaintext message P or the
cyphertext message M, in the following way. Assuming that the
cryptographic unit 12b wants to append a digital signature to the
plaintext message P, it first hashes the message P to obtain a
three element vector p. After establishing the vector p, the
cryptographic unit 12b then appends to the plaintext message P as
the digital signature the following three element vector.

m ((a · p)^n) a + a × p

After retrieving the public quantities that have been stored
in the public repository 67, anyone receiving the plaintext message
P to which the cryptographic unit 12b has appended the digital
signature can verify the signature's authenticity by evaluating and
comparing the two following verification expressions.

1 . m ( ( ( a * P) An ) a + a x P) . a jc ( a jc B ) 

2Q ^j. m a X (ax( axff )) • P 

2. m ( ( ( a - P)" n ) a + a x P) • is x { a x a )) x a 
m - (a . a ) a x (a x a) . p 

Finding that the quantities obtained by evaluating the two
expressions on both sides of the "=?=" in verification relationship
no. 1 above are identical, and also finding that the quantities
obtained by evaluating the two expressions on both sides of the "=?="
in verification relationship no. 2 above are identical, verifies
the digital signature.

The first expression set forth above prevents a forger from
appending a known quantity m a × p to the plaintext message P as the
signature. The second expression ensures that the cryptographic
unit 12b has used the private vector a in computing the digital
signature.

Considering the public non-linear quantity that includes the
term a × (e × a), solving for the private, three-element vector a
requires finding the roots of at least an 8th order polynomial. For
the reason stated above, there exists no analytic method for
finding the roots of an 8th order polynomial. Consequently,
cryptanalysts can find the private, three-element vector a only by
brute force.

There exist additional expressions which may be used to
establish other verification relationships in addition to the two
set forth above. However, two such verification relationships
appear to be sufficient to ensure that the cryptographic unit 12b
has appended the digital signature to the message.

Although the present invention has been described in terms of
the presently preferred embodiment, it is to be understood that
such disclosure is purely illustrative and is not to be interpreted
as limiting. For example, as those skilled in the art will
understand, after the cryptographic units 12a and 12b have estab-
lished the session key K in accordance with the present invention,
either of the cryptographic units 12a or 12b may send or may
receive cyphertext messages M_i from the other in any arbitrary
order. Analogously, while the digital signature technique may be
used with the plaintext message P, it may also be used to authenti-
cate the cyphertext message M. Consequently, without departing
from the spirit and scope of the invention, various alterations,
modifications, and/or alternative applications of the invention
will, no doubt, be suggested to those skilled in the art after
having read the preceding disclosure. Accordingly, it is intended
that the following claims be interpreted as encompassing all
alterations, modifications, or alternative applications as fall
within the true spirit and scope of the invention.






